By now you might have realised that the Group Policy setting that previously worked in Windows 8.1 (Accounts: Block Microsoft accounts) no longer blocks the ability to add a Microsoft account via a Windows Store app in Windows 10. Luckily, it is possible to block the ability to add a Microsoft Account using PowerShell in Windows 10 by using the Mobile Device Management (MDM) settings. Windows 10 was built to support Open Mobile Alliance (OMA) Device Management (DM), which is a standard approach for applying settings to devices through an MDM solution. Unfortunately, configuring MDM settings is nowhere near as straightforward as Group Policy, but because of the focus on mobile devices, there seems to be a significant focus from the Windows product group to enable this functionality. Frustratingly for the Windows admin in all of us, this can’t easily be set using registry keys.

This article describes how to set the OMA-DM settings which block (or disable) the ability to add a Microsoft Account from Settings and when adding an account via a Windows Store app. If you have an MDM solution, you can use the OMA-URI to set this (see Custom URI settings for Windows 10 devices for more information on the OMA-URI settings for your MDM solution); otherwise you need to follow the steps below.

For the record, I’m not a fan of restricting user access to things like this as these small features increase user satisfaction, but if you have a requirement to do so, this is how.

These commands must be run under the context of the local system. If you are doing this using Configuration Manager, then the client will execute the script as local system. If you need to do this manually or using a custom process, you can use psexec (download from TechNet – PsExec) to run as local system:
psexec.exe -i -s powershell.exe

Block Microsoft Accounts

To add settings for the MDM_Policy_Config01_Accounts02 class and disable Microsoft accounts, use the code below:

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_Policy_Config01_Accounts02"
# Create a new instance for $className
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config"; InstanceID="Accounts"; AllowMicrosoftAccountConnection=0; AllowAddingNonMicrosoftAccountsManually=0}

Get MDM Microsoft Account Settings

To retrieve the current settings for the MDM_Policy_Config01_Accounts02 class, use the code below:

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_Policy_Config01_Accounts02"
Get-CimInstance -Namespace $namespaceName -ClassName $className
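
The create and retrieve steps above can be combined into one idempotent script that updates the instance in place when it already exists and reads the values back afterwards. This is an added example, not code from the original post; the function name Set-MicrosoftAccountBlock is hypothetical, and it assumes it is run as local system as described earlier.

```powershell
# Added example: apply the Accounts policy idempotently, then verify it.
# The function name is hypothetical; class, namespace and properties are from the post.
function Set-MicrosoftAccountBlock {
    [CmdletBinding()]
    param(
        [ValidateRange(0, 1)] [int] $AllowMicrosoftAccountConnection = 0,
        [ValidateRange(0, 1)] [int] $AllowAddingNonMicrosoftAccountsManually = 0
    )

    $namespaceName = "root\cimv2\mdm\dmmap"
    $className     = "MDM_Policy_Config01_Accounts02"
    $keys          = @{ ParentID = "./Vendor/MSFT/Policy/Config"; InstanceID = "Accounts" }

    # The post requires these commands to run in the local system context.
    if (-not [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        throw "Run this as local system (for example: psexec.exe -i -s powershell.exe)."
    }

    $desired = @{
        AllowMicrosoftAccountConnection         = $AllowMicrosoftAccountConnection
        AllowAddingNonMicrosoftAccountsManually = $AllowAddingNonMicrosoftAccountsManually
    }

    # Look for an instance with the same keys so a re-run updates instead of re-creating.
    $existing = Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceID -eq $keys.InstanceID -and $_.ParentID -eq $keys.ParentID }

    if ($existing) {
        $existing | Set-CimInstance -Property $desired -ErrorAction Stop
    } else {
        New-CimInstance -Namespace $namespaceName -ClassName $className `
            -Property ($keys + $desired) -ErrorAction Stop | Out-Null
    }

    # Read the instance back and fail loudly if any value did not stick.
    $current = Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction Stop |
        Where-Object { $_.InstanceID -eq $keys.InstanceID -and $_.ParentID -eq $keys.ParentID }
    foreach ($name in $desired.Keys) {
        if ($current.$name -ne $desired[$name]) {
            throw "$name is '$($current.$name)', expected '$($desired[$name])'."
        }
    }
    $current | Select-Object InstanceID, AllowMicrosoftAccountConnection, AllowAddingNonMicrosoftAccountsManually
}

Set-MicrosoftAccountBlock
```

Because the function throws on a mismatch, a deployment tool that runs it will report a failure rather than silently leaving the device unrestricted.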

Remove MDM Microsoft Account Setting

To remove the current settings for the MDM_Policy_Config01_Accounts02 class, use the code below:

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_Policy_Config01_Accounts02"
Get-CimInstance -Namespace $namespaceName -ClassName $className | Remove-CimInstance

Blocked Microsoft Account Experience

Initially, you may think the setting hasn’t worked. Attempting to add a Microsoft account from Accounts in Settings still brings up the sign-in screen; however, it will fail to complete with this less than ideal message:

[Image: Settings app message when Microsoft Account is blocked.]

Thankfully, the experience from a Windows Store app is a little bit better. Similar to the process from the Settings app, you can complete the process of signing in; however, eventually you will get this error:

[Image: Windows Store app message when Microsoft Account is blocked.]

You’ll notice in the image above that after I completed this process my Microsoft Account appears in the Settings app. It still doesn’t allow it to be used for sign in or any other Windows Store app, but it does seem to work for legacy apps like OneDrive. I’ll post more information about this if I encounter any more situations where the Microsoft account in the Settings app is utilised.

More Information

For more information about the WMI Bridge, see WMI providers supported in Windows 10. The MSDN pages for this are really hard to navigate, but if you’re looking to disable Microsoft Accounts, the class you need is MDM_Policy_Config01_Accounts02.

This process was tested in Windows 10 Enterprise 1507 and 1511. I will update with test results from Windows 10 Professional when I get a chance.

DISCLAIMER

Disclaimer: This post is offered “as is” with no warranty. While these commands are tested and working in my environment, it is recommended that you test these scripts in a test environment before using in your production environment.